US-8949986

Network security elements using endpoint resources

Published: February 3, 2015
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A method and apparatus for network security elements using endpoint resources. An embodiment of a method includes receiving a request for access to a network at an endpoint server. The method further includes detecting that the request for access to the network includes a request that is unauthorized. The request for access to the network is directed to a network security element.

Patent Claims
25 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for a distributed network security system providing a honeypot operation for a computer network, the method comprising: receiving a request from a sender for access to a network at a first endpoint server of a plurality of endpoint servers, each of the plurality of endpoint servers including an endpoint network security element, each of the endpoint network security elements being a part of the distributed network security system, the first endpoint server including a first endpoint network security element; detecting that the request for access to the network includes an unauthorized request; directing the unauthorized request to the first endpoint network security element of the first endpoint server, the first endpoint network security element being operable to emulate a server for purposes of processing of unauthorized requests received by the first endpoint server; generating at the first endpoint network security element an acknowledgement for the unauthorized request, the acknowledgement being sent from the first endpoint network security element to the sender of the request; and generating by the first endpoint network security element a statistic describing the unauthorized request and forwarding the statistic from the first endpoint network security element to a central security server for the network, the central security server operating as a controller for operations of the distributed security system, including the endpoint network security elements of the endpoint servers.

2. The method of claim 1, further comprising analyzing unauthorized network traffic by the central security server, the unauthorized network traffic including the unauthorized request, wherein the analysis of the unauthorized network traffic by the central security server is based in part on the statistic generated by the first endpoint network security element.

3. The method of claim 1, wherein generating the acknowledgement to the request includes determining that a reset condition is present and sending an acknowledgement instead of a reset response.

4. The method of claim 3, wherein the request is addressed to an active network address, and wherein the unauthorized request includes a request for an unused element of an active network address, the unused element being an unused port for an active IP (Internet Protocol) address.

5. The method of claim 1, wherein the first endpoint network security element operates without use of an operating system of the first endpoint server.

6. The method of claim 1, wherein each endpoint network security element of the plurality of endpoint servers provides a honeypot or a darknet for unauthorized requests directed to the respective endpoint server.

7. The method of claim 1, wherein the acknowledgement sent to the sender includes a time to live (TTL) value that is generated by the first endpoint network security element.

8. An endpoint server in a network having a distributed network security system comprising: an interface to receive requests for access to the network; one or more processors to run instructions in memory, the processors including: a module to detect an unauthorized request for access to the network, wherein the detected unauthorized request includes a request for an unused element of an active network address, the unused element being an unused port for an active IP (Internet Protocol) address; and a first endpoint network security element, the module to direct detected unauthorized requests to the first endpoint network security element, the first endpoint network security element being a part of the distributed network security system in which each of a plurality of endpoint servers includes a respective endpoint network security element, the first endpoint network security element being operable to provide an emulation of a server on the network, wherein the first endpoint network security element is further operable to generate and provide a response to the sender of the unauthorized request acknowledging the receipt of the unauthorized request, and wherein the first endpoint network security element is to generate a statistic describing the unauthorized request and forward the statistic to a central darknet server, the central darknet server acting as a controller of the first endpoint network security element in the distributed network security system.

9. The endpoint server of claim 8, wherein the central darknet server is to analyze unauthorized network traffic detected in the distributed network security system, the analysis being based in part on the statistic generated by the first endpoint network security element.

10. The endpoint server of claim 8, wherein the first endpoint network security element includes a management engine for the one or more processors of the server.

11. The endpoint server of claim 8, wherein the detected unauthorized request comprises a request to establish a TCP (Transport Control Protocol) connection, and wherein the response to the request provided to the sender by the first endpoint network security element is an acknowledgment and synchronization (SYNACK) response.

12. The endpoint server of claim 8, wherein the first endpoint network security element operates without involvement of an operating system of the endpoint server.

13. A distributed network security system for a network comprising: a router to provide access to endpoint servers; a plurality of endpoint servers coupled to the router, each of the plurality of endpoint servers including an endpoint network security element for the distributed network security system, including a first endpoint server containing a first endpoint network security element, wherein: the first endpoint network security element is operable to generate an emulation of a server that is connected to the router for purposes for handling unauthorized requests, the first endpoint server to detect unauthorized requests for access to the network, the first endpoint server directs unauthorized requests for access to the first endpoint network security element of the first endpoint server, and the first endpoint network security element is operable to generate and send a response to a sender of each received unauthorized request, and to generate and forward statistics regarding the detected unauthorized requests for centralized processing; and a central security server for the distributed security system that is separated from the operations of the network, the central server operating as a controller for the endpoint network security elements of the distributed security system, the central security server being operable to receive the statistics regarding the unauthorized requests from the first endpoint network security element and statistics from any other endpoint network security elements of distributed network security system.

14. The distributed network security system of claim 13, wherein the central security server is operable to process the received statistics from the endpoint network security elements to analyze unauthorized network traffic for the network.

15. The distributed network security system of claim 13, wherein the first endpoint network security element generating the acknowledgement to the request includes determining that a reset condition is present and sending an acknowledgement instead of a reset response.

16. The distributed network security system of claim 13, wherein the first endpoint server is operable to detect an unauthorized request directed to an unused element of an active network address, wherein the unused element is an unused port for an active IP (Internet Protocol) address.

17. The distributed network security system of claim 13, wherein the first endpoint network security element includes a management engine for a processor of the first endpoint server.

18. The distributed network security system of claim 13, wherein the first endpoint network security element is operable to open an IP (Internet Protocol) tunnel between the first endpoint network security element and the central security server for the forwarding of the statistics regarding the unauthorized requests to the central security server.

19. A non-transitory computer-readable storage medium having stored thereon data representing sequences of instructions that, when executed by a processor, cause the processor to perform operations comprising: receiving a request from a sender for access to a network at a first endpoint server of a plurality of endpoint servers, each of the plurality of endpoint servers including an endpoint network security element, each of the endpoint network security elements being a part of a distributed network security system, the first endpoint server including a first endpoint network security element; detecting that the request for access to the network includes an unauthorized request; directing the unauthorized request to the first endpoint network security element of the first endpoint server, the first endpoint network security element being operable to emulate a server for purposes of processing of unauthorized requests received by the first endpoint server; generating at the first endpoint network security element an acknowledgement for the unauthorized request, the acknowledgement being sent from the first endpoint network security element to the sender of the request; and generating by the first endpoint network security element a statistic describing the unauthorized request and forwarding the statistic from the first endpoint network security element to a central security server for the network, the central security server operating as a controller for operations of the distributed security system, including the endpoint network security elements of the endpoint servers.

20. The medium of claim 19, further comprising instructions that, when executed by the processor, cause the processor to perform operations comprising: analyzing unauthorized network traffic by the central security server, the unauthorized network traffic including the unauthorized request, wherein the analysis of the unauthorized network traffic by the central security server is based in part on the statistic generated by the first endpoint network security element.

21. The medium of claim 19, wherein generating the acknowledgement to the request includes determining that a reset condition is present and sending an acknowledgement instead of a reset response.

22. The medium of claim 21, wherein the request is addressed to an active network address, and wherein the unauthorized request includes a request for an unused element of an active network address, the unused element being an unused port for an active IP (Internet Protocol) address.

23. The medium of claim 19, wherein the first endpoint network security element operates without use of an operating system of the first endpoint server.

24. The medium of claim 19, wherein each endpoint network security element of the plurality of endpoint servers provides a honeypot or a darknet for unauthorized requests directed to the respective endpoint server.

25. The medium of claim 19, wherein the acknowledgement sent to the sender includes a time to live (TTL) value that is generated by the first endpoint network security element.
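
The mechanism the claims describe, written out as a small simulation (an added example, not code from the patent or from any product implementing it): each endpoint element decides per TCP SYN whether to hand the request to the host's own stack or, for an unused port on its active address (the reset condition of claims 3 and 4), to answer SYN-ACK in place of the RST the host would send and report a statistic to the central security server for analysis. The class and field names, the constructed probes and the Counter-based analysis are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Syn:
    """Constructed TCP SYN: only the fields the decision needs."""
    src: str
    dst: str
    dport: int

@dataclass
class CentralSecurityServer:
    """Controller receiving one statistic per unauthorized request (claims 1, 2)."""
    stats: list = field(default_factory=list)

    def receive(self, stat):  # stands in for the IP tunnel of claim 18
        self.stats.append(stat)

    def analyze(self):
        """Aggregate what the endpoint elements reported: sources and probed ports."""
        return {"by_source": Counter(s["src"] for s in self.stats),
                "by_port": Counter(s["dport"] for s in self.stats)}

@dataclass
class EndpointSecurityElement:
    """Hypothetical per-endpoint element: emulates a server on unused ports."""
    active_ip: str
    listening_ports: set
    central: CentralSecurityServer
    ttl: int = 64  # TTL the element itself chooses for its replies (claim 7)

    def handle(self, syn):
        # Authorized path: a port the host really serves goes to the normal OS stack.
        if syn.dst != self.active_ip or syn.dport in self.listening_ports:
            return {"action": "pass_to_os"}
        # Unused port on an active address: the host stack would answer RST; the
        # element answers SYN-ACK instead and records a statistic for the controller.
        stat = {"endpoint": self.active_ip, "src": syn.src, "dport": syn.dport}
        self.central.receive(stat)
        return {"action": "syn_ack", "ttl": self.ttl}

def run_demo():
    """Two endpoints, one controller, four constructed probes; returns the results."""
    central = CentralSecurityServer()
    web = EndpointSecurityElement("10.0.0.10", {80, 443}, central)
    db = EndpointSecurityElement("10.0.0.20", {5432}, central)
    probes = [Syn("198.51.100.7", "10.0.0.10", 80),    # legitimate web request
              Syn("198.51.100.7", "10.0.0.10", 23),    # unused port on web host
              Syn("198.51.100.7", "10.0.0.20", 23),    # same port on db host
              Syn("203.0.113.9", "10.0.0.20", 3389)]   # unused port on db host
    decisions = [(web if p.dst == web.active_ip else db).handle(p) for p in probes]
    return decisions, central.analyze()
```

The central server's `analyze()` is the per-source and per-port aggregate that claims 2 and 14 leave to the controller; a real deployment would key it on the endpoint identity as well.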

Patent Metadata

Filing Date

December 29, 2006

Publication Date

February 3, 2015

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Network security elements using endpoint resources” (US-8949986). https://patentable.app/patents/US-8949986
